1. Field of the Invention
The present invention is directed in general to wireless communication systems. In one aspect, the present invention relates to a method and system for managing cached keys for controlling security in a wireless communication device.
2. Related Art
Communication systems are known to support wireless and wire-lined communications between wireless and/or wire-lined communication devices. Such communication systems range from national and/or international cellular telephone systems to the Internet to point-to-point in-home wireless networks. Each type of communication system is constructed, and hence operates, in accordance with one or more communication standards. For instance, wireless communication systems may operate in accordance with one or more standards including, but not limited to, IEEE 802.11, Bluetooth (BT), advanced mobile phone services (AMPS), digital AMPS, global system for mobile communications (GSM), code division multiple access (CDMA), local multi-point distribution systems (LMDS), multi-channel-multi-point distribution systems (MMDS) and/or variations thereof.
Depending on the type of wireless communication system, a wireless communication device (such as a cellular telephone, two-way radio, personal digital assistant (PDA), personal computer (PC), laptop computer, home entertainment equipment, etc.) communicates directly or indirectly with other wireless communication devices. For direct communications (also known as point-to-point communications), the participating wireless communication devices tune their receivers and transmitters to the same channel or channels (e.g., one of the plurality of radio frequency (RF) carriers of the wireless communication system) and communicate over the tuned channel(s). For indirect wireless communications, each wireless communication device communicates directly with an associated base station (e.g., for cellular services) and/or an associated access point (e.g., for an in-home or in-building wireless network) via an assigned channel. To complete a communication connection between the wireless communication devices, the associated base stations and/or associated access points communicate with each other directly, via a system controller, via the public switched telephone network, via the Internet, and/or via some other wide area network.
Wireless networks based on the IEEE 802.11a, 802.11b, and 802.11g standards have become increasingly popular in homes, small offices, and public spaces such as airports and hotels because they eliminate the need for stringing cable. But concerns have been raised with regard to security shortcomings in those standards that may make them vulnerable to attackers located within range of these networks. A revised standard, IEEE 802.11i, provides improved security through a security framework called Robust Security Network (RSN), which includes improved key management and encryption/decryption protocols.
One of the difficulties encountered in wireless networking relates to maintaining connectivity between access points and a mobile station that is roaming within a wireless network. As the mobile device roams, it must abandon its connection with one access point and establish a new connection with another access point. During the transition between access points there can be a brief loss of connectivity that may result in the loss of data packets. In many cases the packet loss will be noticeable to a user, especially when the user is running a real-time application. For some transport protocols, such as TCP, the loss of even a single packet can trigger retransmission and congestion back-off, producing a visible delay whose duration far exceeds the actual connectivity gap between the wireless device and the access points. The potential for data loss is exacerbated by the complicated authentication protocol required to meet the enhanced security requirements of the 802.11i standard while still allowing a mobile station to change its connection between access points as it roams within a wireless network.
Devices communicating in a wireless network utilize various security keys, such as the pairwise master key (PMK) defined in the IEEE 802.11i protocol. The current 802.11i protocol, however, binds each PMK to a single authenticator address, so each PMK can be used at only a single access point. When a station roams to a new access point, a new PMK must be obtained by that access point from the authentication-authorization-accounting (AAA) server, possibly incurring a long interruption of data flow during the roam.
The 802.11i protocol allows the PMK to be cached by both the authenticator and the supplicant, and to be reused when a station reassociates to an access point for which the appropriate PMK is cached. This eliminates the need for a credential exchange, which may take a long time (seconds or longer) to complete. The 802.11i protocol also provides a "pre-authentication" mechanism by which a supplicant exchanges credentials and generates a PMK with an authenticator that manages a different access point than the one to which the station is currently associated. This PMK can then be used as a cached PMK when the station eventually roams to the new access point. In all cases a new pairwise transient key (PTK) must be computed per association, requiring the exchange of nonce values. The PMK caching and pre-authentication mechanisms help reduce the time required to complete the security initialization when a station roams between access points, but they are limited in the architectures that they can support.
Pre-authentication assumes that an authenticator is addressable using the basic service set ID (BSSID) of the access point as if it were the MAC address (layer 2 address) of the authenticator. While this is often true of groups of access points that are connected, e.g., by a switched Ethernet, access points within a given administrative domain may actually reside on separate networks that cannot be reached by layer 2 addressing. Additionally, the MAC address used by the authenticator may not be identical to the BSSID of the access point, a situation that the pre-authentication mechanism cannot accommodate.
PMK caching does not provide for architectures where the access point and authenticator are not necessarily housed in a single unit, especially when the authenticator may manage more than one access point (a “switch architecture”). The authenticator in such an architecture could use the same PMK across multiple access points, and derive a new PTK for each association of the station to any of the access points. There is no mechanism for the authenticator to communicate its intent to do this to the supplicant, and as a result “opportunistic” key caching approaches have been devised in which the supplicant attempts to reuse PMKs across associations to different access points.
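The following simulation, an added example rather than code from the patent, contrasts plain 802.11i PMK caching with the "opportunistic" reuse described above. The PRF, the PTK inputs ("Pairwise key expansion") and the PMKID inputs ("PMK Name") follow IEEE 802.11i; the PMK value, the MAC addresses and the roaming sequence are constructed sample data, and the AAA server is a stub that simply hands out the sample PMK. Note how a single cached PMK still produces a distinct PTK for every association because fresh nonces enter the derivation each time.

```python
"""PMK caching and opportunistic key caching in a switch architecture.

Added example, not code from the patent. PRF, PTK and PMKID inputs follow
IEEE 802.11i; SAMPLE_PMK, the MAC addresses and the AAA stub are constructed.
"""
import hashlib
import hmac
import os

# Constructed sample values (a real PMK comes from the EAP/AAA exchange).
SAMPLE_PMK = bytes.fromhex("0c" * 32)
AP1 = bytes.fromhex("001122334455")   # BSSID of access point 1
AP2 = bytes.fromhex("00112233aabb")   # BSSID of access point 2, same authenticator
STA = bytes.fromhex("66778899ccdd")   # station (supplicant) MAC address


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).

    The min/max ordering makes both sides compute the same value regardless of
    argument order; the fresh nonces make every association yield a new PTK.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, length)


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): the cache lookup key, bound to one BSSID."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Authenticator:
    """One authenticator managing several access points (switch architecture)."""

    def __init__(self, bssids):
        self.bssids = set(bssids)
        self.pmks = {}            # SPA -> PMK obtained from the AAA server
        self.aaa_exchanges = 0    # slow-path counter: each one is a full credential exchange

    def fetch_from_aaa(self, spa: bytes) -> bytes:
        self.aaa_exchanges += 1
        self.pmks[spa] = SAMPLE_PMK   # stub for the AAA server (constructed)
        return SAMPLE_PMK

    def associate(self, bssid: bytes, spa: bytes, offered_pmkids):
        """Reuse the PMK it holds for this station at any of its BSSIDs, if the station offers a matching PMKID."""
        assert bssid in self.bssids
        pmk = self.pmks.get(spa)
        if pmk is None or pmkid(pmk, bssid, spa) not in offered_pmkids:
            pmk = self.fetch_from_aaa(spa)
        return pmk, os.urandom(32)    # ANonce, fresh per association


class Supplicant:
    def __init__(self, spa: bytes, opportunistic: bool):
        self.spa = spa
        self.opportunistic = opportunistic
        self.pmk = None
        self.cached_at = set()        # BSSIDs at which this PMK was actually established

    def roam(self, auth: Authenticator, bssid: bytes) -> bytes:
        offered = []
        # Plain 802.11i caching: offer a PMKID only for a BSSID already visited.
        # Opportunistic caching: offer one for any BSSID, hoping the authenticator shares the PMK.
        if self.pmk is not None and (self.opportunistic or bssid in self.cached_at):
            offered.append(pmkid(self.pmk, bssid, self.spa))
        pmk, anonce = auth.associate(bssid, self.spa, offered)
        self.pmk = pmk
        self.cached_at.add(bssid)
        snonce = os.urandom(32)       # SNonce, fresh per association
        return derive_ptk(pmk, bssid, self.spa, anonce, snonce)


def simulate(opportunistic: bool, path=(AP1, AP2, AP1)):
    """Roam along `path`; return (number of AAA exchanges, list of PTKs derived)."""
    auth = Authenticator([AP1, AP2])
    sta = Supplicant(STA, opportunistic)
    ptks = [sta.roam(auth, bssid) for bssid in path]
    return auth.aaa_exchanges, ptks


if __name__ == "__main__":
    for mode in (False, True):
        n, ptks = simulate(mode)
        print(f"opportunistic={mode}: {n} AAA exchange(s), {len(set(ptks))} distinct PTKs")
```

Along the path AP1, AP2, AP1 the plain-caching supplicant triggers two AAA exchanges (the return to AP1 hits the cache) while the opportunistic one triggers only one, which is exactly the gain the text attributes to reusing a PMK across access points under one authenticator. The authenticator above already behaves as a switch-architecture authenticator; the standard gives it no way to announce that, which is why the supplicant has to guess.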
Current proposals for improving roaming times in 802.11 networks have suggested modifying the key hierarchy to better accommodate switch architectures, and address some of the limitations of pre-authentication. The modification involves inserting additional derivation steps between the PMK and PTK, such that the PMK itself is never exposed beyond the original three parties that have access to it.
The first proposed modification comprises three different PMK derivatives (DPMKs), depending on the architecture in question, and allows for two additional levels of caching (first- and second-level DPMKs). The PTK is derived from any of the four PMKs, and the station must know the "path" that the derived PMK took in order to apply the appropriate transforms. The groups of authenticators and access points that have access to the PMK or its derivatives are referred to as key circles (KCs), and the path information is announced in information elements (IEs) as the Master Key Circle ID (MKCID) and the Related Key Circle ID (RKCID). This hierarchy has a security weakness: the top-level PMK is used both to derive subordinate PMKs and to derive PTKs directly, so one key serves two purposes. The station also uses different inputs (fixed strings) to the derived PMK transforms depending on the path, and its workload varies with the number of derivation levels, so some architectures require less computation than others.
A proposed method for correcting this deficiency allows a single PMK to be used across multiple access points, but allows exactly two levels of separation between the AAA client and the access point. The AAA client receives the PMK from the AAA server and generates a derived pairwise master key (DPMK) for each controller for which it provides keys. The controller then generates a derived access point PMK (DA-PMK) for each access point for which it provides keys. These two levels (AAA client, controller) need not exist as separate hardware devices; they may be logical entities within an access point.
A second proposed modification, which attempts to address the security issues discussed above and also provides greater architectural symmetry, is based on a key hierarchy with a single final derived PMK from which the PTK is computed. The DPMK always goes through two levels of derivation regardless of the system architecture (e.g., even in a controllerless/switchless network with "fat" access points that house the authenticator and AAA client functions). This approach eliminates the security concern, since the PMK/DPMK at each level is used for only one subordinate function, either to derive a lower-level PMK or to derive a PTK, but not both. However, it requires that all implementations always compute two levels of derivation. An additional issue with the proposed architecture is the implicit assumption that there is one controller per AAA client. The key circle ID (KCID) is nominally the identifier for the controller and is used as such in the derivation of the DPMK; yet the original KCID provided in the station's initial authentication message is used to identify the AAA client that holds the original PMK.
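The two-level hierarchy and the single-purpose-key property of the second proposal can be made concrete with the following added example. It is not code from the patent or from any 802.11 proposal: the KDF (HMAC-SHA256 with a purpose label), the label strings "DPMK", "DA-PMK" and "PTK", and the sample identifiers are assumptions chosen to show that each key in the chain has exactly one subordinate use, so that a key held at one level cannot stand in for a key at another, and that the supplicant always runs both derivation steps.

```python
"""Two-level derived-PMK hierarchy: AAA client -> controller -> access point -> PTK.

Added example, not from the patent or any 802.11 draft. The KDF, the labels
and the identifiers below are assumptions; the PMK is a constructed sample.
"""
import hashlib
import hmac

# Constructed sample identifiers and key material.
KCID = b"controller-A"                    # key circle ID of the controller (assumed form)
BSSID1 = bytes.fromhex("001122334455")
BSSID2 = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("66778899ccdd")
PMK = bytes.fromhex("0c" * 32)            # stands in for the PMK from the AAA server


def kdf(key: bytes, label: bytes, context: bytes) -> bytes:
    """Single-purpose derivation: the label fixes what the output may be used for (assumed construction)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


class AAAClient:
    """Holds the PMK; its only use of the PMK is to derive one DPMK per controller."""

    def __init__(self, pmk: bytes):
        self._pmk = pmk

    def dpmk_for(self, kcid: bytes) -> bytes:
        return kdf(self._pmk, b"DPMK", kcid)


class Controller:
    """Holds a DPMK; its only use is to derive one DA-PMK per access point it serves."""

    def __init__(self, kcid: bytes, dpmk: bytes):
        self.kcid, self._dpmk = kcid, dpmk

    def da_pmk_for(self, bssid: bytes) -> bytes:
        return kdf(self._dpmk, b"DA-PMK", self.kcid + bssid)


class AccessPoint:
    """Holds a DA-PMK; its only use is to derive a PTK per association."""

    def __init__(self, bssid: bytes, da_pmk: bytes):
        self.bssid, self._da_pmk = bssid, da_pmk

    def ptk(self, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
        return kdf(self._da_pmk, b"PTK", self.bssid + spa + anonce + snonce)


def station_ptk(pmk, kcid, bssid, spa, anonce, snonce) -> bytes:
    """Supplicant side: always two derivation levels, even when all roles live in one 'fat' AP."""
    dpmk = kdf(pmk, b"DPMK", kcid)
    da_pmk = kdf(dpmk, b"DA-PMK", kcid + bssid)
    return kdf(da_pmk, b"PTK", bssid + spa + anonce + snonce)


def deploy():
    """Provision the chain once; the PMK itself never leaves the AAA client."""
    aaa = AAAClient(PMK)
    ctrl = Controller(KCID, aaa.dpmk_for(KCID))
    aps = {b: AccessPoint(b, ctrl.da_pmk_for(b)) for b in (BSSID1, BSSID2)}
    return ctrl, aps


def roam_matches(bssid: bytes, anonce: bytes = b"\x01" * 32, snonce: bytes = b"\x02" * 32) -> bool:
    """True if the station's two-level derivation agrees with the PTK the access point computes."""
    _, aps = deploy()
    return aps[bssid].ptk(STA, anonce, snonce) == station_ptk(PMK, KCID, bssid, STA, anonce, snonce)


def sibling_reachable_from_ap1(anonce: bytes = b"\x01" * 32, snonce: bytes = b"\x02" * 32) -> bool:
    """Does the DA-PMK held by AP1 let anyone compute AP2's PTK? The per-BSSID, one-way step says no."""
    _, aps = deploy()
    forged = kdf(aps[BSSID1]._da_pmk, b"PTK", BSSID2 + STA + anonce + snonce)
    return forged == aps[BSSID2].ptk(STA, anonce, snonce)


if __name__ == "__main__":
    print("AP1 PTK matches station:", roam_matches(BSSID1))
    print("AP2 PTK matches station:", roam_matches(BSSID2))
    print("AP1 key material reaches AP2:", sibling_reachable_from_ap1())
```

Because every level uses its key under a different label and only for the next level down, the PMK never has to leave the AAA client and a DA-PMK exposed at one access point does not give away keys for its siblings; the cost, as the text notes, is that even a single-box deployment must run both derivation steps so the supplicant's computation lines up.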
In view of the foregoing, there is a need for an improved method and apparatus for caching the keys used to establish secure data connections with stations roaming in wireless communication systems.